Over the last several months we have been planning to eliminate the use of insecure HTTP by customers with minimal impact to your applications. HTTPS is the way to go. If you follow the relevant security bodies, there is strong agreement from IETF, IAB (even the other IAB), W3C, and the US Government calling for the universal use of encryption by Internet applications, which in the case of the web means HTTPS.
There are two broad elements of this plan:
- Redirection: We started redirecting insecure HTTP requests to http://api.tropo.com to our secure HTTPS endpoints https://api.tropo.com. This redirection itself, while slightly improving the situation, is not a long-term solution, as keys are sent in the initial request.
- Disallow HTTP altogether: As of January 8, 2018, we will stop the redirection. After that Tropo will no longer honor requests to http://api.tropo.com, and these requests will return a 501 (Not Implemented) status code. All API requests have to be made to https://api.tropo.com
What you need to do:
If any of your applications or processes are making requests to http://api.tropo.com to initiate outbound calls, text messages, or to inject signals into your tropo application, you must make sure that you update your system to use https://api.tropo.com instead. Developers who take advantage of Tropo’s REST API endpoints for application setup and configuration must also ensure that they are using the HTTPS version of the api.tropo.com as well.
Tropo scripting and web API applications should not need to change.
Thanks to the many developers who have worked with us during the first phase of this project, and your ongoing willingness to protect your Tropo applications.